The dependabot.yml file is an optional configuration file that gives you fine-grained control over how Dependabot monitors and updates dependencies (mainly version updates but also security updates) in your repository.
Without a dependabot.yml file, Dependabot can still create security updates for vulnerable dependencies if you've enabled Dependabot security updates in your repository settings. However, you won't receive automated version updates or have control over update schedules and other configuration options.
The dependabot.yml file uses YAML syntax. If you're new to YAML and want to learn more, see Learn YAML in five minutes.
Note
Dependabot alerts are configured in the repository or organization "Settings" tab and not in the dependabot.yml file, see Configuring Dependabot alerts.
What the dependabot.yml file does
The dependabot.yml file controls how Dependabot performs updates on your dependencies. With this file, you can:
For version updates
- Enable automated version updates
- Specify which package ecosystems and directories to monitor
- Set update schedules
- Customize pull request labels, assignees, reviewers, and commit messages
- Control which dependencies to update or ignore
- Configure authentication for private registries
For security updates
- Customize security update pull requests with labels, assignees, and reviewers
- Define target branches for security updates
- Configure private registry authentication
- Set limits on open pull requests
Where to store the dependabot.yml file
You must store this file in the .github directory of your repository in the default branch (typically main). The path is: .github/dependabot.yml.
How the dependabot.yml file works
When you add or update the dependabot.yml file in your repository, Dependabot reads the configuration and begins monitoring the specified package ecosystems according to your defined schedules. When Dependabot finds available updates, it creates pull requests with the dependency changes, following any customization rules you've specified in the configuration.
The configuration file requires the following keys for each package ecosystem to monitor.
version: Top-level field that specifies the Dependabot configuration syntax version.updates: Top-level section where you define each package ecosystem to monitor for updates.package-ecosystem: Defined underupdates, specifies which package manager to update (such as npm, pip, or Docker).directoriesordirectory: Defined under eachpackage-ecosystementry, specifies the location of manifest or dependency definition files.schedule.interval: Defined under eachpackage-ecosystementry, sets how often to check for version updates (daily,weekly, ormonthly).
Basic example
Here's a minimal dependabot.yml file that monitors npm dependencies daily:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
Next step
- Configure your repository so that Dependabot automatically updates the packages you use, see Configuring Dependabot version updates